Abstract — This paper develops a novel framework for sharing
secret keys using the Automatic Repeat reQuest (ARQ) proto- 
col. We first characterize the underlying information theoretic 
limits, under different assumptions on the channel spatial and 
temporal correlation function. Our analysis reveals a novel role 
of "dumb antennas" in overcoming the negative impact of 
spatial correlation on the achievable secrecy rates. We further 
develop an adaptive rate allocation policy, which achieves higher 
secrecy rates in temporally correlated channels, and explicit 
constructions for ARQ secrecy coding that enjoy low imple- 
mentation complexity. Building on this theoretical foundation, 
we propose a unified framework for ARQ-based secrecy in Wi- 
Fi networks. By exploiting the existing ARQ mechanism in 
the IEEE 802.11 standard, we develop security overlays that 
offer strong security guarantees at the expense of only minor 
modifications in the medium access layer. Our numerical results 
establish the achievability of non-zero secrecy rates even when 
the eavesdropper channel is less noisy, on the average, than the 
legitimate channel, while our Linux-based prototype demonstrates
the efficiency of our ARQ overlays in mitigating all known, 
passive and active, Wi-Fi attacks at the expense of a minimal 
increase in the link setup time and a small loss in throughput. 



I. Introduction 

The recent flurry of interest in wireless physical layer
secrecy is inspired by Wyner's pioneering work on the wiretap
channel [1], which establishes the achievability of perfectly
secure communication by hiding the message in the additional
noise level seen by the eavesdropper. More recently, the effect
of fading on the secrecy capacity was studied in which it was 
shown that, by appropriately distributing the message across 
different fading realizations, the multi-user diversity gain can 
be harnessed to enhance the secrecy capacity, e.g. Q, fS).
Independent and parallel to our work, the authors of [4], [5],
[6] considered using the well-known Hybrid ARQ protocol
to facilitate the exchange of secure messages over fading
channels. One innovative aspect of our framework, compared
to m, is the distribution of key bits over an asymptotically
large number of ARQ epochs. This approach allows for
overcoming the secrecy outage phenomenon observed in [4]
at the expense of increased delay. Contrary to [6], we build an
information theoretic foundation for key sharing through ARQ 
which inspires low complexity implementation of practical 
coding schemes and reveals a novel role of dumb antennas in 
overcoming the negative impact of spatial correlation, between 
the legitimate and eavesdropper channels, on the achievable 
key rate. Moreover, we propose a new greedy rate adaptation 
algorithm that is capable of transforming the temporal corre- 
lation in the legitimate channel into additional gains in the 
secrecy rate. 

Building on our information theoretic foundation, we de- 
velop a unified ARQ security framework for Wi-Fi networks 
(ARQ-seCuRity fOr Wireless Networks: ARQ-CROWN); an- 
other distinguishing feature of our work as compared with Q, 
JS], iSJ. This framework is used to construct security overlays 
which provide information theoretic confidentiality guarantees 
to complement the underlying Wi-Fi security protocols. More 
specifically, careful analysis of the state of the art attacks on 
these protocols (e.g., Q, El, 10) reveals that they depend 
critically on the availability of certain security parameters 
as plaintext in the transmitted packets. By judiciously using 
the available ARQ mechanism in the IEEE 802.11 standard, 
our overlays transform those security parameters into a secret 
key that is shared only by the legitimate nodes. Remarkably, 
this goal is achieved through only minor modifications in the 
MAC layer that treat all protocols uniformly and, hence, do
not entail additional network management tasks. The exper- 
imental results, obtained from our Madwifi driver prototype, 
demonstrate the ability of ARQ-CROWN to defend against 
all known eavesdropping attacks (whether active or passive), at 
the expense of a minor loss in throughput and a small increase 
in link setup time. This is, to the best of our knowledge, the
first attempt to demonstrate the utility of information theoretic 
security concepts in practice. 

The remainder of this paper is organized as follows. We 
develop our information theoretic foundation in Section II. The
design of our ARQ secrecy framework for Wi-Fi networks
is presented in Section III. Our numerical and experimental
results are given in Section IV. Section V offers some concluding
remarks, whereas the proofs are collected in the appendices
to enhance the flow of the paper.

II. Information Theoretic Foundation

A. System Model and Notations 

Our model assumes one transmitter (Alice), one legitimate 
receiver (Bob), and one passive eavesdropper (Eve). We adopt 
a block fading model in which each channel is assumed to 
be fixed over one coherence interval and changes from one 



interval to the next. In order to obtain rigorous information 
theoretic results, we consider the scenario of asymptotically
large coherence intervals and allow for sharing the secret key
across an asymptotically large number of those intervals. The
finite delay case will be considered in Section II-D. In any
particular interval, the signals received by Bob and Eve are 
respectively given by, 

$$y(i,j) = g_b(i)\,x(i,j) + w_b(i,j),$$

$$z(i,j) = g_e(i)\,x(i,j) + w_e(i,j),$$

where $x(i,j)$ is the $j$-th transmitted symbol in the $i$-th block,
$y(i,j)$ is the $j$-th received symbol by Bob in the $i$-th block,
$z(i,j)$ is the $j$-th received symbol by Eve in the $i$-th block,
$g_b(i)$ and $g_e(i)$ are the complex block channel gains from
Alice to Bob and Eve, respectively. The channel gains can
also be written as $g_b(i) = \sqrt{h_b(i)} \exp(j\theta_b(i))$ and $g_e(i) =
\sqrt{h_e(i)} \exp(j\theta_e(i))$, where $\theta_b(i)$ and $\theta_e(i)$, the phase shifts at
Bob and Eve respectively, are assumed to be independent in
all considered scenarios. Moreover, $w_b(i,j)$ and $w_e(i,j)$ are
the zero-mean, unit variance white complex Gaussian noise
coefficients at Bob and Eve, respectively. We do not assume
any prior knowledge about the channel state information at
Alice. Bob, however, is assumed to know $g_b(i)$ and Eve is
assumed to know both $g_b(i)$ and $g_e(i)$ a-priori. We impose
the following short-term average power constraint

$$E\left(|x(i,j)|^2\right) \le \bar{P}.$$

Our model only allows for one bit of ARQ feedback from Bob 
to Alice. Each ARQ epoch is assumed to be contained in one 
coherence interval (i.e., fixed channel gains) and that different 
epochs correspond to different coherence intervals. The trans- 
mitted packets are assumed to carry a perfect error detection 
mechanism allowing Bob (and Eve) to determine whether the 
packet has been received correctly or not. Bob sends back to 
Alice an ACK/NACK bit, through a public feedback channel 
which is only accessible by Bob but monitored by Eve. To
minimize Bob's receiver complexity, we adopt the memoryless 
decoding assumption implying that frames received in error 
are discarded and not used to aid in future decoding attempts. 
Finally, Eve is assumed to be passive (i.e., cannot transmit); an
assumption which can be justified in several practical settings.
We will argue in Section III, however, that our approach can
mitigate all known active attacks on Wi-Fi networks as well. 
In our setup, Alice wishes to share a secret key $W \in \mathcal{W} =
\{1, 2, \dots, M\}$ with Bob. To transmit this key, Alice and Bob
use an $(M, m)$ code consisting of: 1) a stochastic encoder
$f_m(\cdot)$ at Alice that maps the key $w$ to a codeword $x^m \in \mathcal{X}^m$,
2) a decoding function $\phi: \mathcal{Y}^m \to \mathcal{W}$ which is used by Bob to
recover the key. The codeword is partitioned into $a$ blocks,
each one corresponds to one ARQ-epoch and contains $n_1$
symbols where $m = a n_1$. Unless otherwise stated, we focus
on the asymptotic scenario where $a \to \infty$ and $n_1 \to \infty$.
Alice starts with a random selection of the first block of $n_1$
symbols. Upon reception, Bob attempts to decode this block.
If successful, it sends an ACK bit to Alice who moves ahead
and makes a random choice of the second $n_1$ and sends it
to Bob. Here, Alice must make sure that the concatenation
of the two blocks belongs to a valid codeword. As shown in
the sequel, this constraint is easily satisfied. If an error was
detected, then Bob sends a NACK bit to Alice; in which case
both Alice and Bob will discard this block. Alice will then
replace the first block of $n_1$ symbols with another randomly
chosen block and transmits it. The process then repeats until
Alice and Bob agree on a sequence of $a$ blocks, each of length
$n_1$ symbols, corresponding to the key. It is interesting to note
that this strategy does not include any retransmissions. The
optimality of this approach, as proved in our main results,
hinges on this property which minimizes the information
leakage to Eve.

The code construction must allow for reliable decoding at 
Bob while hiding the key from Eve. It is clear that the proposed 
protocol exploits the error detection mechanism to make sure 
that both Alice and Bob agree on the key (i.e., ensures reliable 
decoding). What remains is the secrecy requirement which is 
measured by the equivocation rate Re defined as the entropy 
rate of the transmitted key conditioned on the intercepted 
ACKs or NACKs and the channel outputs at Eve, i.e.,

$$R_e = \frac{1}{n} H\left(W \mid Z^n, K^b, G_b^b, G_e^b\right),$$

where $n$ is the number of symbols transmitted to exchange
the key (including the symbols in the discarded blocks due to
decoding errors), $b = n/n_1$, $K^b = \{K(1), \dots, K(b)\}$ denotes the
sequence of ACK/NACK bits, $G_b^b$ and $G_e^b$ are the sequences
of channel coefficients seen by Bob and Eve in the $b$ blocks,
and $Z^n = \{Z(1), \dots, Z(n)\}$ denotes Eve's channel outputs
in the $n$ symbol intervals. We limit our attention to the perfect
secrecy scenario, which requires the equivocation rate $R_e$ to
be arbitrarily close to the key rate. The secrecy rate $R_s$ is said
to be achievable if for any $\epsilon > 0$, there exists a sequence of
codes $(2^{nR_s}, m)$ such that for any $m > m(\epsilon)$, we have

$$R_e = \frac{1}{n} H\left(W \mid Z^n, K^b, G_b^b, G_e^b\right) \ge R_s - \epsilon,$$

and the key rate for a
given input distribution is defined as the maximum achievable
perfect secrecy rate with this distribution.

B. Main Result 

Our main result is derived for the scenario where the 
feedback channel is error free and $h_e$, $h_b$ vary independently
from one block to another according to a joint distribution
$f(h_b, h_e)$. We will consider the effect of spatial and temporal
correlation in Section II-C. The following result characterizes
the Gaussian key rate under these assumptions. 

Theorem 1: The key rate for the memoryless ARQ protocol
with Gaussian inputs is given by:

$$C^{(g)} = \max_{R_0, P \le \bar{P}} E\left\{ \left[R_0 - \log_2(1 + h_e P)\right]^+ \, I\left(R_0 \le \log_2(1 + h_b P)\right) \right\}, \quad (1)$$

for a fixed average power $P \le \bar{P}$ and transmission rate
$R_0$. $[x]^+ = \max(0, x)$ and $I(x) = 1$ if $x$ is true and 0
otherwise. For the special case of spatially independent fading,
i.e. $f(h_b, h_e) = f(h_b) f(h_e)$, the above expression simplifies
to

$$C^{(g)} = \max_{R_0, P \le \bar{P}} \left\{ \Pr\left(R_0 \le \log_2(1 + h_b P)\right) E\left[R_0 - \log_2(1 + h_e P)\right]^+ \right\}. \quad (2)$$

A few remarks are now in order. 

1) It is clear from (1) that a positive secret key rate is
achievable under very mild conditions on the channels
experienced by Bob and Eve. More precisely, unlike
the approach proposed in [4], Theorem 1 establishes
the achievability of a positive perfect secrecy rate by 
appropriately exploiting the ARQ feedback even when 
Eve's average SNR is higher than that of Bob. 

2) Theorem 1 characterizes the fundamental limit on secret
key sharing and not message transmission. The differ- 
ence between the two scenarios stems from the fact that 
the message is known to Alice before starting the trans- 
mission of the first block, whereas Alice and Bob can 
defer the agreement on the key till the last successfully 
decoded block. This observation was exploited by our 
approach in making Eve's observations of the frames 
discarded by Bob, due to failure in decoding, useless. 

3) It is intuitively pleasing that the secrecy key rate in 
(2) is the product of the probability of success at
Bob and the expected value of the additional mutual 
information gleaned by Bob, as compared to Eve, in 
those successfully decoded frames. 

4) The achievability of ^ hinges on a random binning 
argument which only establishes the existence of a 
coding scheme that achieves the desired rate. Our result, 
however, stops short of explicitly finding such optimal 
coding scheme and characterizing its encoding/decoding 
complexity. This observation motivates the development 
of the explicit secrecy coding schemes in Section II-D.

5) In the aforementioned security protocol, using a noisy 
feedback channel will lead to mis-synchronization be- 
tween Alice and Bob. This problem can be easily 
overcome at the expense of a larger overhead in the 
feedforward channel. Alice would include all the history 
of received ACK/NACK in each frame. Once an ACK 
is received, Alice will be assured that Bob has correctly 
received the past history. Alice will then flush the 
past history and will only include the recently received 
ACK/NACK messages in future transmissions. Addi- 
tionally, one may be tempted to assume that the noisy 
feedback from Bob to Eve will allow for increasing 
the secret key capacity. Unfortunately, Eve can easily 
overcome the loss of ACK bits via an exhaustive trial 
and error approach. More rigorously, since the ratio of 
feedback bits over feedforward bits is vanishingly small, 
the loss of ACK bits will not lead to an increase in the 
equivocation at Eve. 
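The following added example (not code from the paper) evaluates the key rate of equation (2) numerically and checks it against a frame-by-frame simulation of the expression inside (1), including the case where Eve's average gain is higher than Bob's. It assumes exponentially distributed power gains (Rayleigh fading) with means `mean_b` and `mean_e`; all function names and parameter values are illustrative.

```python
import math
import random


def success_prob(r0, p, mean_b):
    """Pr(R0 <= log2(1 + h_b P)) for exponential h_b with mean mean_b."""
    return math.exp(-(2.0 ** r0 - 1.0) / (p * mean_b))


def eve_deficit(r0, p, mean_e, steps=400):
    """E[(R0 - log2(1 + h_e P))^+] for exponential h_e (trapezoid rule)."""
    h_max = (2.0 ** r0 - 1.0) / p  # above this gain the [.]^+ term is zero
    if h_max <= 0.0:
        return 0.0
    dh = h_max / steps
    total = 0.0
    for i in range(steps + 1):
        h = i * dh
        f = (r0 - math.log2(1.0 + h * p)) * math.exp(-h / mean_e) / mean_e
        total += f * (0.5 if i in (0, steps) else 1.0)
    return total * dh


def key_rate(r0, p, mean_b, mean_e):
    """Objective of equation (2) for one (R0, P) pair, independent fading."""
    return success_prob(r0, p, mean_b) * eve_deficit(r0, p, mean_e)


def best_key_rate(p_bar, mean_b, mean_e):
    """Grid search over R0 and P <= p_bar; returns (rate, R0, P)."""
    best = (0.0, 0.0, 0.0)
    for pi in range(1, 6):
        p = p_bar * pi / 5.0
        for ri in range(1, 81):
            r0 = ri * 0.1
            rate = key_rate(r0, p, mean_b, mean_e)
            if rate > best[0]:
                best = (rate, r0, p)
    return best


def simulate(r0, p, mean_b, mean_e, frames, seed, correlated=False):
    """Average of [R0 - log2(1+h_e P)]^+ * I(R0 <= log2(1+h_b P)) per frame.

    With correlated=True the same gain is used for Bob and Eve (h_b = h_e),
    the fully correlated case.
    """
    rng = random.Random(seed)  # seeded for reproducibility of the experiment
    total = 0.0
    for _ in range(frames):
        h_b = rng.expovariate(1.0 / mean_b)
        h_e = h_b if correlated else rng.expovariate(1.0 / mean_e)
        if r0 <= math.log2(1.0 + h_b * p):  # Bob decodes and sends an ACK
            total += max(0.0, r0 - math.log2(1.0 + h_e * p))
    return total / frames


if __name__ == "__main__":
    # Constructed scenario: Eve's mean gain is 4x Bob's (about 6 dB better).
    rate, r0, p = best_key_rate(p_bar=10.0, mean_b=1.0, mean_e=4.0)
    print(f"best key rate {rate:.4f} at R0={r0:.1f}, P={p:.1f}")
    print("simulated:", simulate(r0, p, 1.0, 4.0, 200000, seed=1))
    print("fully correlated:", simulate(r0, p, 1.0, 1.0, 200000, 1, True))
```
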

C. Spatial and Temporal Correlation 

One of the important insights revealed by Theorem 1 is the
negative relation between the achievable key rate and the spatial
correlation between the main and eavesdropper channels.
In fact, one can easily verify that the key rate collapses to zero
in the fully correlated case (i.e., $h_b = h_e$ with probability
one) independent of the marginal distribution of $h_b$. In this
section, we propose a solution to this problem based on a novel
utilization of "dumb antennas." The concept of dumb antennas



was introduced in [10] as a means to create artificial channel
fluctuations in slow fading environments. These fluctuations 
are used to harness opportunistic performance gains in multi- 
user cellular networks. As indicated by the name, one of the 
attractive features of this approach is that the receiver(s) can be 
oblivious to the presence of multiple transmit antennas [10].
We use dumb transmit antennas to de-correlate the main and 
eavesdropper channels as follows. Alice is equipped with N 
transmit antennas, whereas both Bob and Eve still have only 
one receive antenna. In order to simplify the presentation, we 
focus on the case of the symmetric fully correlated line of 
sight channels; whereby the magnitudes of the channel gains 
are all equal to one. The rest of our modeling assumptions 
remain as detailed in Section II-A. The same data stream
is transmitted from the N transmit antennas after applying an i.i.d.
uniform phase to each of the N signals. Also, Bob is assumed 
to perturb its location in each ARQ frame resulting in a random 
and independent phase shift (from that experienced by Eve). 
Our multiple transmit antenna scenario, therefore, reduces to 
a single antenna fading wiretap channel with the following 
equivalent channel gains 



^eq _ 
where $\theta_{iB}$, $\theta_{iE}$, and Om are i.i.d. and uniform over $[-\pi, \pi]$
that remain fixed over one ARQ frame and change randomly
from one ARQ frame to the next. One can now easily see that
as $N$ increases, the marginal distribution of each equivalent
channel gain approaches a zero-mean complex Gaussian with
unit variance (by the Central Limit Theorem (CLT) [11]). It is
worth noting that the correlation coefficient between the two
channels' equivalent power gains depends on the instantaneous
channels' phases $\theta_{iB}$'s and $\theta_{iE}$'s for $i = 1, \dots, N$. It can be
easily shown that, in the limit of $N \to \infty$, this correlation
coefficient between the two channels' power gains converges,
in a mean-square sense, to zero (please refer to Appendix B
for the proof). Therefore, in the asymptotic limit of a large
$N$, our dumb antennas approach has successfully transformed
our fully correlated line of sight channel into a symmetric
and spatially independent Rayleigh wiretap channel; whose
secrecy capacity (assuming Gaussian inputs) is reported in
Theorem 1. The numerical results reported in the sequel
(Section IV-A) demonstrate that this result is not limited to
line of sight channels, and that this asymptotic behavior can
be observed for a relatively small number of transmit antennas.
Thus far, we have assumed that the channel gains affecting
different frames are independent. This assumption renders
optimal the stationary rate allocation strategy of Theorem 1.
In this section, we relax this assumption by introducing 
temporal correlation between the channel gains experienced 
by successive frames. Assuming high temporal correlation, 
if a stationary rate strategy is employed and it is less than 
Eve's channel capacity, all the information transmitted will be 
leaked to Eve. On the other hand, if the rate is much less 
than Bob's channel capacity, additional gains in the secrecy 



capacity will not be harnessed. Hence, we are going to employ 
a rate adaptation strategy in which the optimal rate used 
in each frame is determined based on the past history of 
ACK/NACK feedbacks and the rates used in previous blocks. 
More specifically, following in the footsteps of [12], the
optimal rate allocation policy can be formulated as follows 
(assuming a short term average power constraint P and a 
Gaussian input distribution). 



$$R_t = \arg\max \left\{ \left( C_{s,t} + \sum_{k=t+1} C_{s,k} \right) \,\Big|\, \mathbf{R}_{t-1}, \mathbf{K}_{t-1} \right\}, \quad (3)$$

where

$$C_{s,t} = \Pr\left(R_t \le \log_2(1 + h_{b,t}P)\right) E\left[R_t - \log_2(1 + h_e P)\right]^+,$$

where $\mathbf{R}_{t-1} = [R_0, \dots, R_{t-1}]$ is the vector of previous
transmission rates and $\mathbf{K}_{t-1} = [K_0, \dots, K_{t-1}]$ is the vector
of previously received ACKs and NACKs. The basic idea is
that, after frame $(t-1)$, the a posteriori distribution of $h_b$ is
updated using $\mathbf{R}_{t-1}$ and $\mathbf{K}_{t-1}$. The expected secrecy rate, in
future transmissions, is then maximized based on this updated
distribution. It is worth noting that the above expression
assumes no spatial correlation between $h_e$ and $h_b$. This
assumption represents the worst case scenario since it prevents 
Alice from learning the channel gains impairing Eve through 
the ARQ feedback. Since the channel gain is not observed 
directly, but through an indicator in the form of ARQ feedback, 
the optimal rate assignment, when the channel is Markovian, 
is a Partially Observable Markov Decision Process (POMDP). 
The solution of this POMDP is computationally intractable 
except for trivial cases. This motivates the following greedy 
rate allocation policy 



$$R_t = \arg\max \left\{ C_{s,t} \,\Big|\, \mathbf{R}_{t-1}, \mathbf{K}_{t-1} \right\}.$$

Interestingly, the numerical results reported in Section IV-A
demonstrate the ability of this simple strategy to harness
significant performance gains in first order Markov channels.
Note that the performance of any rate allocation policy can
be upperbounded by the ergodic capacity with transmitter CSI
(and short term average power constraint P), i.e.,

$$C_e = E_{h_b, h_e}\left[\log_2(1 + h_b P) - \log_2(1 + h_e P)\right]^+, \quad (4)$$

which is achieved by the optimal rate allocation policy $R_t =
\log_2(1 + h_{b,t}P)$. In fact, one can view the rate assignment
policy of (3) as an attempt to approach the rate of (4) by
using the ARQ feedback to obtain a better estimate of $h_{b,t}$
after each fading block.

D. Explicit Coding Schemes 

This section develops explicit secrecy coding schemes that 
allow for sharing keys using the underlying memoryless ARQ 
protocol with realizable encoding/decoding complexity and 
delay. We proceed in three steps. The first step replaces the 
random binning construction, used in the achievability proof 
of Theorem 1, with an explicit coset coding scheme for
the erasure-wiretap channel. This erasure-wiretap channel is 
created by the ACK/NACK feedback and accounts for the 
computational complexity available to Eve. In the second 



step, we limit the decoding delay by distributing the key 
bits over only a finite number of ARQ frames. Finally, we 
replace the capacity achieving Gaussian channel code with 
practical coding schemes in the third step. Overall, our three- 
step approach allows for a useful performance-vs-complexity 
tradeoff. 

The perfect secrecy requirement used in the information the- 
oretic analysis does not impose any limits on Eve's decoding 
complexity. The idea now is to exploit the finite complexity 
available at Eve in simplifying the secrecy coding scheme. 
To illustrate the idea, let's first assume that Eve can only
afford maximum likelihood (ML) decoding. Hence, successful
decoding at Eve is only possible when $R_0 \le \log_2(1 + h_e P)$, for
a given transmit power level $P$. Now, using the idealized error
detection mechanism, Eve will be able to identify and erase
the frames decoded in error resulting in an erasure wiretap
channel model. In practice, Eve may be able to go beyond
the performance of the ML decoder. For example, Eve can
generate a list of candidate codewords and then use the error
detection mechanism, or other means, to identify the correct
one. In our setup, we quantify the computational complexity
of Eve by the amount of side information $R_c$ bits per channel
use offered to it by a Genie. With this side information, the
erasure probability at Eve is given by

$$\epsilon = \Pr\left(R_0 - R_c > \log_2(1 + h_e P)\right), \quad (5)$$

since now the channel has to supply only enough mutual
information to close the gap between the transmission rate
$R_0$ and the side information $R_c$. The ML performance can be
obtained as a special case of (5) by setting $R_c = 0$.

It is now clear that using this idea we have transformed 
our ARQ channel into an erasure-wiretap channel. In this 
equivalent model, we have a noiseless link between Alice and 
Bob, ensured by the idealized error detection algorithm, and an 
erasure channel between Alice and Eve. The following result 
characterizes the achievable performance over this channel. 

Lemma 2: The secrecy capacity for the equivalent erasure-wiretap
channel is

$$C_e = \max_{R_0, P \le \bar{P}} \left\{ R_0\, E\left[ I\left(R_0 \le \log_2(1 + h_b P)\right) I\left(R_0 - R_c > \log_2(1 + h_e P)\right) \right] \right\}$$

$$\phantom{C_e} = \max_{R_0, P \le \bar{P}} \left\{ R_0 \Pr\left(R_0 \le \log_2(1 + h_b P),\; R_0 - R_c > \log_2(1 + h_e P)\right) \right\}.$$

In the case of spatially independent channels, the above
expression reduces to

$$C_e = \max_{R_0, P \le \bar{P}} \left\{ R_0 \Pr\left(R_0 \le \log_2(1 + h_b P)\right) \Pr\left(R_0 - R_c > \log_2(1 + h_e P)\right) \right\}. \quad (6)$$

The proof follows from the classical result on the erasure-wiretap
channel [13]. It is intuitively appealing that the expression
in (6) is simply the product of the transmission
rate per channel use, the probability of successful decoding 
at Bob, and the probability of erasure at Eve. The main 



advantage of this equivalent model is that it lends itself to 
the explicit coset LDPC coding scheme constructed in [14],
[15], [16]. In summary, our first low complexity construction
is a concatenated coding scheme where the outer code is 
a coset LDPC for secrecy and the inner one is a capacity 
achieving Gaussian code. The underlying memoryless ARQ 
is used to create the erasure-wiretap channel matched to 
this concatenated coding scheme. 

The second step is to limit the decoding delay resulting 
from the distribution of key bits over an asymptotically large 
number of ARQ blocks in the previous approach. To avoid 
this problem, we limit the number of ARQ frames used by 
the key to a finite number k. The implication for this choice 
is a non-vanishing value for the secrecy outage probability. 
For example, if we encode the message as the syndrome of
the rate $(k-1)/k$ parity check code, Eve will be completely
blind about the key if at least one of the $k$ ARQ frames is
erased [14], [15], [16] (here the distilled key is the modulo-2
sum of the key parts received correctly). The secrecy
outage probability, assuming spatially independent channels,
is therefore

$$P_{out} = \Pr\left( \min_{j \in \{1, \dots, k\}} \log_2(1 + h_e(j) P) > R_0 - R_c \right), \quad (7)$$

where $h_e(1), \dots, h_e(k)$ are i.i.d. random variables drawn according
to the marginal distribution of Eve's channel. Assuming a
Rayleigh fading distribution, we get

$$P_{out} = \exp\left( -\frac{k}{P} \left[ 2^{R_0 - R_c} - 1 \right] \right). \quad (8)$$

Under the same assumption, it is straightforward to see that the
average number of Bernoulli trials required to transfer $k$ ARQ
frames is $N_0 = k \exp\left( \frac{2^{R_0} - 1}{P} \right)$,
resulting in a key rate

$$R_k = \frac{R_0}{N_0} = \frac{R_0}{k} \exp\left( -\frac{2^{R_0} - 1}{P} \right). \quad (9)$$

Therefore, for a given $R_c$ and $P$, one can obtain a tradeoff
between $P_{out}$ and $R_k$ by varying $R_0$. Our third, and final, step
is to relax the assumption of a capacity achieving inner code.
Section IV-A reports numerical results with practical coding
schemes, including uncoded transmission, with a finite frame
length $n_1$. Overall, these results demonstrate the ability of the
proposed protocols to achieve near-optimal key rates, under 
very mild assumptions, with realizable encoding/decoding 
complexity and bounded delay that are of practical relevance. 
In the next section, we introduce an ARQ-based secrecy 
scheme for Wi-Fi networks that builds, in principle, on these 
protocols. 
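The finite-delay scheme of the second step, as an added example that is not the paper's code: Alice sends fresh random blocks, Bob keeps the k blocks he ACKs, the key is their modulo-2 sum, and Eve recovers it only if she decodes every ACKed frame. It assumes unit-mean Rayleigh fading on both links (exponential power gains), for which the outage probability of (7) evaluates to exp(-k(2^(R0-Rc) - 1)/P); function names and parameter values are illustrative.

```python
import math
import random


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def run_session(k, r0, rc, p, rng, block_bytes=8):
    """One key exchange; returns (key, eve_key, frames_sent).

    eve_key is None when at least one ACKed frame was erased at Eve, in
    which case the XOR of the parts she holds says nothing about the key.
    """
    key = bytes(block_bytes)
    eve_sum = bytes(block_bytes)
    eve_blind = False
    acked = sent = 0
    while acked < k:
        sent += 1
        # Fresh random block per frame (no retransmissions). A seeded PRNG
        # keeps the experiment reproducible; a real sender needs a CSPRNG.
        block = rng.getrandbits(8 * block_bytes).to_bytes(block_bytes, "big")
        h_b = rng.expovariate(1.0)  # Bob's power gain for this frame
        h_e = rng.expovariate(1.0)  # Eve's power gain for this frame
        if r0 > math.log2(1.0 + h_b * p):
            continue  # NACK: Alice and Bob both discard the block
        acked += 1
        key = xor_bytes(key, block)
        if r0 - rc > math.log2(1.0 + h_e * p):
            eve_blind = True  # erasure at Eve, the event in equation (5)
        else:
            eve_sum = xor_bytes(eve_sum, block)
    return key, (None if eve_blind else eve_sum), sent


def estimate(k, r0, rc, p, sessions, seed):
    """Monte Carlo estimate of (secrecy outage probability, mean frames)."""
    rng = random.Random(seed)
    outages = frames = 0
    for _ in range(sessions):
        key, eve_key, sent = run_session(k, r0, rc, p, rng)
        frames += sent
        outages += eve_key == key  # Eve holds the key only if nothing erased
    return outages / sessions, frames / sessions


def outage_closed_form(k, r0, rc, p):
    """Pr(Eve decodes all k ACKed frames) under unit-mean Rayleigh fading."""
    return math.exp(-k * max(0.0, 2.0 ** (r0 - rc) - 1.0) / p)


def expected_frames(k, r0, p):
    """Mean number of transmissions until Bob has ACKed k frames."""
    return k * math.exp((2.0 ** r0 - 1.0) / p)


def key_rate(k, r0, p):
    """Key bits per channel use: one frame's worth of key per session."""
    return r0 / expected_frames(k, r0, p)


if __name__ == "__main__":
    # Constructed parameters: k = 4 frames, R0 = 3 bits, P = 10.
    for rc in (0.0, 1.0):
        p_out, n0 = estimate(4, 3.0, rc, 10.0, sessions=20000, seed=7)
        print(f"Rc={rc}: simulated outage {p_out:.4f}, "
              f"closed form {outage_closed_form(4, 3.0, rc, 10.0):.4f}, "
              f"frames {n0:.2f} vs {expected_frames(4, 3.0, 10.0):.2f}")
```
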

III. ARQ Security for Wi-Fi Networks 

A. Wi-Fi Security: The State of the Art 

Before going into the details of our design, we provide 
some necessary background about the existing Wi-Fi security 
protocols. More specifically, we describe how "per-frame 
keys" are generated and the critical dependence of all the 
currently-known eavesdropping attacks on weaknesses in the 
per-frame key generation mechanisms. 



In general, the security functions of different Wi-Fi protocols
could be separated into three layers, namely, an authentication
layer, an access control layer and a WLAN layer [17].
In this paper, we focus only on the processes involved with 
encrypting and decrypting frames, that are found in the 
WLAN layer solely (the Wired Equivalent Privacy (WEP), 
the Temporal Key Integrity Protocol (TKIP), and the Counter 
Mode with Cipher Block Chaining Message Authentication 
Code Protocol (CCMP) standards). The reader is referred 
to [17] for details on the other two layers. We refer to the
overall processes of sending and receiving frames securely as 
encapsulation and decapsulation, respectively. Those processes 
fall within WEP, TKIP (in WPA or WPA2) and CCMP (in 
WPA2). Figure 1 shows two abstract schematic diagrams of
frame encapsulation and decapsulation which will be useful in 
describing the integration of the ARQ-CROWN overlay with 
each of these protocols. 

1) Security at the WLAN Layer: The encapsulation process 
starts by what we refer to as "security parameters generation", 
which is the first block in Figure 1(a). The sole function of
those generated parameters is to ensure the use of a fresh 
key for each frame. In the WEP protocol, a 24-bit value, 
called the Initialization Vector (IV), is generated in this step. 
TKIP generates a similar 48-bit value, called TKIP Sequence 
Counter (TSC), while CCMP generates the Packet Number 
(PN), of length 48 bits as well. 

The WEP protocol does not specify how the IV should be 
generated, although it recommends that the IV value should be 
different for each frame HI. In TKIP and CCMP, both the
TSC and the PN are initialized by an agreed-upon value and
are incremented by one for each new frame. There are two 
basic reasons for incrementing the TSC (or PN) versus using 
a random value. First, to ensure covering the entire sequence 
space. Second, and more importantly, to defend against replay 
attacks, as will be illustrated shortly. Since those parameters 
will be needed for decapsulation at the receiver, they are sent, 
in-the-clear, in a special security header (Hg) that is inserted
between the frame's MAC header and the encrypted message. 
The remainder of the encapsulation process involves frame key 
generation (this is where the security parameters are combined 
with some secret root key, Kg, to obtain a key for a specific
frame), encryption, adding an Integrity Check Value (ICV) and 
possibly a Message Integrity Check (MIC) value. We refer the 
reader to [17] for a comprehensive study on each of those
steps. 

At the receiver side (Figure 1(b)), the security parameters
are extracted from the security header. The WEP protocol does 
not perform any checks on this value and directly proceeds to 
the next steps. However, for TKIP and CCMP, once the TSC 
(or the PN) is extracted from the security header, a check 
is performed. If the recovered TSC (PN) is less than the 
last received TSC (PN), the frame is considered a replayed 
version of a previous frame and is discarded. Subsequent 
decapsulation processes include decryption and ICV and MIC 
tests. Those tests serve as means to ensure that the frame 
has been decrypted correctly and has not been maliciously 
tampered with. For the purpose of this paper, we use the 
symbol V to refer to WEP's IV, TKIP's TSC or CCMP's PN. 
(a) The encapsulation process.



(b) The decapsulation process. 



Fig. 1: WLAN-layer security functions. For a given frame, M is the plaintext, C is the ciphertext, and F is the transmitted 
packet. Hmac and Hg denote the MAC and security headers for that frame, respectively. 



2) Wi-Fi Security Attacks: Borisov, Goldberg, and Wagner 
first reported WEP design failures in [18]. They showed that
the ICV test fails to detect malicious attacks and that IV reuse
allows for packet injection. Later, the first key recovery attack
against WEP (the FMS attack) was presented by Fluhrer,
Mantin and Shamir [19] using some weaknesses of the RC4
Key Scheduling Algorithm. They also showed the recovery of
the WEP key becomes much easier if some IVs that satisfy
certain properties (weak IVs) were used. The KoreK chopchop
attack attempted at breaking WEP using the CRC32 checksum
(the ICV test) [20]. KoreK also presented another group of
attacks that do not rely on weak IVs [21]. A rather efficient
iterative algorithm that recovers the WEP key was proposed
by Klein in [22]. On the other hand, the Bittau attack made
use of the fragmentation support of IEEE 802.11 to break
WEP [23]. Finally, Pyshkin, Tews, and Weinmann presented
more enhancements to the Klein attack by using ranking 
techniques Q. At the moment, this recent attack is considered 
to be the most powerful attack against WEP. 

Statistical WEP attacks, e.g. [19], could, in principle, use
only passive eavesdropping in order to collect a large number 
of frames with known IVs. However, they often use injection 
or replay techniques to shorten the listening time. For example, 
an attacker might continuously replay captured ARP (Address 
Resolution Protocol) request packets. Consequently, the Ac- 
cess Point (AP) will begin to broadcast those ARP request 
packets, and IVs will be generated at a higher rate. Other 
WEP attacks do not need a large number of IVs. Instead, they 
rely on injection, e.g., [20] or [23].

In 2004, weaknesses in the temporal key hash of TKIP were 
shown [24]. An attacker could use the knowledge of a few
keystreams and TSCs to predict the Temporal Key and the
MIC Key used in TKIP. Later in 2008, Tews and Beck [25]
made the first practical attack against TKIP. In a chopchop-like 
manner, an attacker can recover the plaintext of a short packet 
and falsify it within about 12-15 minutes, in a WPA network 
that supports IEEE802.11e QoS features. In 2009, a practical 



falsification attack against TKIP was proposed (HI, in which 
the Beck-Tews attack was applied to a man-in-the-middle 
attack to target any WPA network. The latter attack takes 
about one minute. CCMP arguably provides robust security. 
However, a weakness in the nonce construction mechanism 
in CCMP was recently discovered ||9]. A predictable PN in 
CCMP was shown to decrease the effective encryption key 
length from 128 bits to 85 bits ||9l. 

In summary, the previously mentioned attacks rely on collecting a large number of ciphertexts along with the corresponding security parameters, which are sent in the clear, whether through passive eavesdropping or innovative active techniques. As detailed in the following section, the ARQ-CROWN overlay solves this problem by exploiting the opportunistic secrecy principle resulting from the wireless multipath fading environments.

B. ARQ-CROWN: An Overview 

ARQ-CROWN is designed for Wi-Fi networks operating in infrastructure mode that may use any of the IEEE 802.11 security protocols, i.e., WEP, TKIP or CCMP for encryption. The network is composed of one AP and L clients, in the presence of one attacker. The AP and all clients follow the ARQ mechanism adopted in the IEEE 802.11 standard, i.e., for each transmitted frame, the receiver acknowledges the receipt of that frame through a short ACK message. We assume disabled retransmissions, i.e., if a timeout event occurs at the transmitter (the data frame or the ACK message were lost), it simply discards the current frame and moves to further transmissions.¹

Key management and re-keying policies are aspects that fall outside the scope of this paper. For this reason, we assume that once a wireless client is authenticated and has gained access to the network, it shares root keys with the AP. From the simplest setting of one-key-for-all in the WEP protocol, to a rather complicated key hierarchy in WPA and WPA2, our discussion would be on a per-frame basis. Hence, we assume that, for each frame, the client and the AP agree on which key is used to encapsulate/decapsulate this frame. Throughout the sequel, this secret key is referred to as $K_s$. In the proposed ARQ-CROWN overlay, we transform the V values of different frames into additional private keys that are shared among the legitimate nodes. ARQ-CROWN entirely focuses on the V value of each frame, leaving the secret root key, $K_s$, unaltered. Figure 2 shows the modified WLAN layer when overlaid by ARQ-CROWN. The figure shows three new separate modules that run independently from the encapsulation and decapsulation processes; namely, an initialization module, an ACK/Timeout detection module and a group update module. Those modules interact solely with the security parameters generation and extraction blocks that are modified to incorporate ARQ security. Outputs of those steps are fed to the remaining functional blocks of encapsulation and decapsulation, which remain exactly the same as in the original standards. For ease of presentation, we begin by using a simple three-node network model. In this network, Alice corresponds to one legitimate client, Bob corresponds to the AP and Eve is a malicious attacker. We later show how to extend our scheme to secure multicast flows.

¹ The analysis provided in this paper could be easily extended to the case of enabled retransmissions.

Fig. 2: WLAN-layer security functions incorporating the ARQ-CROWN overlay. The shaded blocks represent ARQ-CROWN modifications.

The initialization module works on letting Alice and Bob agree on an initial value, $V_0$, that will be later used in securing unicast flows in the Alice-Bob and Bob-Alice directions. It runs, only once, after Alice is associated and authenticated and before data ports are open. In essence, the process is similar to the one described in Section II-A, but with some modifications that better utilize the MAC layer of the IEEE 802.11 standard and that take into account dealing with an active eavesdropper, as will be clear with further discussion. Once this initialization phase is complete, secure data communication is allowed. The ACK/Timeout detection module runs during open data sessions. It works on deciding on the status of each transmitted unicast frame, which is referred to as Q. This status helps both Alice and Bob update the V values for the unicast frames they exchange, for each transmitted frame. Finally, the group update module allows for securing multicast data. In the following section, we show how each of those modules operates and rigorously analyze their security.

Fig. 3: The ARQ-CROWN initialization phase.

C. ARQ-CROWN: Operation and Security Analysis 

1) The Initialization Phase: The initialization phase works as illustrated in Figure 3. First, Alice transmits an initialization frame, carrying a sequence number 1 and random number $R_1$, and starts a timer. Once Bob receives this frame, he replies with another initialization frame, carrying a sequence number 2, and another random number $R_2$. If Alice receives this frame before a timeout event occurs, she stores the pair $(R_1, R_2)$ for later use, and transmits another initialization frame with sequence number 3 and a new random number $R_3$. Otherwise (a timeout event occurs), Alice discards $R_1$, and transmits another initialization frame with sequence number 1 and a new random number $R_1'$. The process continues till Alice has stored n initialization random values. On the other side, Bob keeps on responding to each initialization frame he gets with a sequence number incremented by one, and a newly generated random number. However, he stores only the last pair he has for any given sequence number. The length of each transmitted random number is 24 bits if WEP is used, or 48 bits otherwise. Finally, the initial value, $V_0$, is the modulo-2 sum of the random number pairs successfully received by both Alice and Bob.

The security of this protocol in the presence of a passive Eve directly builds on the results provided in Section II-D. More specifically, as Eve becomes completely blind about $V_0$ if she misses one of the values constituting $V_0$, the probability of secrecy outage in our case (corresponding to (7)) is

$$P_0 = \prod_{i \in A} \left(1 - \gamma_{AE_i}\right) \prod_{j \in B} \left(1 - \gamma_{BE_j}\right), \tag{10}$$

where A and B are the sets of time indices that correspond to the frames stored by Alice and Bob, respectively. $\gamma_{AE_1}, \ldots, \gamma_{AE_{n-1}}$ denote the frame loss probabilities in the Alice-Eve channel whereas $\gamma_{BE_2}, \ldots, \gamma_{BE_n}$ denote the frame loss probabilities in the Bob-Eve channel. All of those probabilities are random variables that are independently and identically distributed according to Eve's channels' distributions. Since the size of each of A and B is n/2, it is evident that, as n increases, $P_0$ decreases and we achieve better security gains, at the expense of a larger delay in the initialization phase.

On the other hand, if Eve is active, she will be capable of injecting or replaying initialization frames, since they are not encrypted. However, any injection or replay attempt will cause a disagreement between Alice and Bob on $V_0$. We will later show that if Alice and Bob do not agree on $V_0$, they will not be able to exchange any data frames. Consequently, a replay or injection attack directly corresponds to a Denial of Service (DoS) attack. We finally note that in the case of using the WEP protocol, the initialization frames, being unencrypted, reveal no information about the secret key, $K_s$, and thus cannot be used in any statistical WEP attack.
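The handshake above and Eq. (10), as an added simulation that is not the authors' code. Assumptions: constant frame-loss probabilities, the same loss probability in both Alice-Bob directions, an even n, and an Eve who keeps the last value she captured for each sequence number; all function names are hypothetical.

```python
import random
from functools import reduce
from operator import xor


def init_phase(n, loss_ab, loss_ae, loss_be, rng, bits=48):
    """Run one initialization handshake; return (V0_alice, V0_bob, V0_eve).

    V0_eve is None when Eve never captured a value for some sequence number.
    """
    alice_vals = []   # values Alice stored, as consecutive (odd, even) pairs
    bob_last = {}     # Alice's sequence number -> last pair Bob stored for it
    eve_last = {}     # sequence number -> last value Eve captured for it
    seq = 1
    while len(alice_vals) < n:
        r_a = rng.getrandbits(bits)          # fresh random number per attempt
        if rng.random() >= loss_ae:
            eve_last[seq] = r_a              # Eve overhears Alice's frame
        if rng.random() < loss_ab:
            continue                         # frame lost: Alice times out, retries
        r_b = rng.getrandbits(bits)
        bob_last[seq] = (r_a, r_b)           # Bob keeps only the last pair
        if rng.random() >= loss_be:
            eve_last[seq + 1] = r_b          # Eve overhears Bob's reply
        if rng.random() < loss_ab:
            continue                         # reply lost: Alice times out, retries
        alice_vals += [r_a, r_b]             # pair stored, move to next sequence
        seq += 2
    v0_alice = reduce(xor, alice_vals)
    v0_bob = reduce(xor, (r for s in range(1, n, 2) for r in bob_last[s]))
    if all(s in eve_last for s in range(1, n + 1)):
        # May still be wrong: a stale value from a discarded attempt poisons it.
        v0_eve = reduce(xor, (eve_last[s] for s in range(1, n + 1)))
    else:
        v0_eve = None
    return v0_alice, v0_bob, v0_eve


def outage_probability(n, loss_ae, loss_be):
    """Eq. (10) specialised to constant loss probabilities on Eve's links."""
    return (1 - loss_ae) ** (n // 2) * (1 - loss_be) ** (n // 2)


def simulate(n, loss_ab, loss_ae, loss_be, trials=4000, seed=7):
    """Return (fraction of runs where Alice and Bob agree,
    fraction of runs where Eve ends up with the correct V0)."""
    rng = random.Random(seed)
    agree = eve_hits = 0
    for _ in range(trials):
        va, vb, ve = init_phase(n, loss_ab, loss_ae, loss_be, rng)
        agree += (va == vb)
        eve_hits += (ve == va)
    return agree / trials, eve_hits / trials


if __name__ == "__main__":
    for n in (4, 8, 16):
        _, hit = simulate(n, 0.3, 0.2, 0.2)
        print(n, round(hit, 4), round(outage_probability(n, 0.2, 0.2), 4))
```

Losses on the legitimate link only lengthen the handshake; Eve's success rate depends solely on her own two links and shrinks geometrically in n.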

2) Securing Unicast Data: Right after initialization, our protocol works on updating the V values, used to encapsulate each unicast data frame sent on the Alice-Bob and Bob-Alice channels. To illustrate, first consider the $i$-th data frame to be securely transmitted, using any security protocol, from Alice to Bob. Alice starts by generating a random number (of length 24 if WEP is used, or 48 bits otherwise) referred to as the header-V, $V_h(i)$. The ARQ-CROWN protocol must not use two consecutive equal header-V's. This property will be shown to be useful for defending against replay attacks. This value, $V_h(i)$, is put in the frame's security header, according to the specifications of the security protocol used. However, unlike the standards, the value used by ARQ-CROWN in encapsulating the frame, denoted by $V_e(i)$, is the modulo-2 sum of the current header-V, $V_h(i)$, and all of the header-V's previously transmitted by Alice and successfully received by Bob. The update equation for $V_e$ is then

$$V_e(i) = \begin{cases} V_h(i) \oplus V_e(i-1), & \text{if } Q(i-1) = 1, \\ V_h(i) \oplus V_e(i-1) \oplus V_h(i-1), & \text{otherwise,} \end{cases} \tag{11}$$

where $Q(i) = 1$ if Alice received an ACK for the $i$-th transmitted frame, $Q(i) = 0$ otherwise. This status is obtained through the ACK/Timeout detection module running at Alice (Figure 2(a)). The initial value for this algorithm is set by the agreed-upon $V_0$ of the initialization phase, i.e., $V_e(0) = V_0$, while $V_h(0) = 0$. Similarly, when Bob receives the $i$-th frame, he first extracts $V_h(i)$ from the security header, and then performs a check. If $V_h(i) = V_h(i-1)$, Bob discards the frame and treats it as a sign of a replay attack. If not, Bob attempts to decapsulate the frame with $V_d(i)$,

$$V_d(i) = V_h(i) \oplus V_d(i-1), \tag{12}$$

where $V_d(0) = V_0$. If decryption fails (an ICV failure occurs), this would be due to an erasure of the $(i-1)$-th ACK. Bob then goes through another decryption attempt, after excluding $V_h(i-1)$ from the sum, i.e., with $V_d(i) = V_h(i) \oplus V_d(i-1) \oplus V_h(i-1)$. Another failure in decryption is treated as a sign of an attack and countermeasures could be invoked (the reason behind this will become clear in the security analysis to follow). Following this protocol, Alice and Bob perfectly agree on the V values used for each frame. We avoid any mis-synchronization that could happen due to the loss of an ACK frame, without any additional feedback bits (as opposed to Section II-B). The unicast flow from Bob to Alice could be secured in the same manner illustrated above.

We now analyze the security of this phase. In our scheme, the traffic collected by a passive Eve becomes useful for any attack depending on Eve's ability to correctly compute $V_e$ for each captured frame. To achieve this, Eve first has to correctly compute $V_0$, in the initialization phase between Alice and Bob. This happens with probability $P_0$ (as given in (10)). Afterwards, for each captured frame, Eve has to keep track of all the previously acknowledged data frames preceding that frame. Eve becomes, again, completely blind if she misses a single acknowledged frame. Based on this observation, we let u denote the total number of data frames for which Eve can correctly compute $V_e$, i.e., the useful frames for Eve. If $\gamma_{AE} = \gamma_{BE} = \gamma_E$ for all time indices, the expected number of such frames is upper-bounded by

where $\bar{\gamma}_E = 1 - \gamma_E$, n is the total number of initialization frames constituting $V_0$ and N is the unicast data session size. As shown in Eq. (13), a slight increase of the number of initialization frames results in a significant decrease in the number of useful frames for Eve in each session. This has a direct impact on the feasibility of many attacks, especially the statistical WEP attacks, e.g., [19], as those depend on collecting a large number of IVs (V's in the ARQ-CROWN case) to run efficiently.

We now consider the case of an active Eve. For the unicast flow from Alice to Bob, Eve could use Alice's MAC address to inject or replay data frames of her choice, or use Bob's MAC address to inject ACK messages to confuse Alice. However, any injected or replayed frame will lead to mis-synchronization between Alice and Bob. This will be detected by Bob through two successive ICV failures. As we already mentioned, Bob would treat this as a sign of an attack and countermeasures could follow. The most straightforward countermeasure is to change the keys of the whole network or of the attacked sessions. Still, the history of V values built up thus far could be used after invoking countermeasures through fast means of "re-synchronization" as will be later discussed.
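The unicast update rules of Eqs. (11) and (12), as an added sketch that is not part of the paper or its Madwifi prototype. Assumptions: a truncated HMAC stands in for the cipher's ICV test, the class names, the key and the loss patterns are constructed, and Eve is given $V_0$ and perfect knowledge of each ACK.

```python
import hashlib
import hmac
import random

V_BITS = 48  # header-V length for TKIP/CCMP per the text (24 bits for WEP)


def icv(k_s, v, payload):
    """Stand-in integrity check (assumption): verifies only under the right V."""
    msg = v.to_bytes(V_BITS // 8, "big") + payload
    return hmac.new(k_s, msg, hashlib.sha256).digest()[:4]


class Sender:
    """Alice: keeps V_e(i-1), V_h(i-1), Q(i-1) and applies Eq. (11)."""

    def __init__(self, k_s, v0, rng):
        self.k_s, self.rng = k_s, rng
        self.ve, self.vh, self.q = v0, 0, 1      # V_e(0) = V_0, V_h(0) = 0

    def send(self, payload):
        vh = self.rng.getrandbits(V_BITS)
        while vh == self.vh:                     # no two equal consecutive header-V's
            vh = self.rng.getrandbits(V_BITS)
        ve = vh ^ self.ve                        # branch Q(i-1) = 1
        if not self.q:
            ve ^= self.vh                        # drop the unacknowledged V_h(i-1)
        self.ve, self.vh = ve, vh
        return (vh, payload, icv(self.k_s, ve, payload))

    def feedback(self, acked):
        self.q = 1 if acked else 0


class Receiver:
    """Bob: replay check, Eq. (12), then the fallback for a lost ACK."""

    def __init__(self, k_s, v0):
        self.k_s = k_s
        self.vd, self.vh = v0, 0                 # V_d(0) = V_0

    def receive(self, frame):
        vh, payload, tag = frame
        if vh == self.vh:
            return "replay"                      # repeated header-V
        first = vh ^ self.vd                     # Eq. (12)
        for vd in (first, first ^ self.vh):      # second try: previous ACK was lost
            if hmac.compare_digest(icv(self.k_s, vd, payload), tag):
                self.vd, self.vh = vd, vh
                return "ok"
        return "attack"                          # two successive ICV failures


def run_session(data_lost, ack_lost, eve_captured, seed=1):
    """Replay fixed loss patterns; return (stats, frames sent, Bob's state)."""
    rng = random.Random(seed)
    k_s = bytes(range(16))                       # constructed key
    v0 = rng.getrandbits(V_BITS)
    alice, bob = Sender(k_s, v0, rng), Receiver(k_s, v0)
    eve_sum = v0                                 # V_0 xor ACKed header-V's Eve holds
    stats = {"delivered": 0, "attack": 0, "eve_useful": 0}
    frames = []
    events = zip(data_lost, ack_lost, eve_captured)
    for i, (d_lost, a_lost, seen) in enumerate(events, 1):
        frame = alice.send(b"data frame %d" % i)
        frames.append(frame)
        result = None if d_lost else bob.receive(frame)
        if result in stats:
            stats[result] += 1
        elif result == "ok":
            stats["delivered"] += 1
        acked = result == "ok" and not a_lost
        alice.feedback(acked)
        if seen:
            stats["eve_useful"] += (frame[0] ^ eve_sum == alice.ve)
            if acked:
                eve_sum ^= frame[0]              # Eve tracks acknowledged frames
    return stats, frames, bob


if __name__ == "__main__":
    # Constructed pattern: ACK 2 lost, frame 3 lost, Eve misses ACKed frame 4.
    print(run_session([0, 0, 1, 0, 0, 0], [0, 1, 0, 0, 0, 0], [1, 1, 1, 0, 1, 1])[0])
```

Bob stays synchronized through both a lost ACK and a lost data frame, while a single acknowledged frame missed by Eve makes every later frame useless to her.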

Frame interception (jamming), in general, is often used as part of phishing and MITM attacks. Additionally, when ARQ-CROWN is deployed, interception could be used to delay the key update process for a certain data flow in the network. Defending against those attacks requires additional modifications, which are outlined in Section III-D.

3) Securing Multicast Traffic: Thus far, our discussion was limited to unicast sessions. Since multicast frames are not ACKed, the previously demonstrated scheme cannot be used to secure these frames. Our scheme for multicast traffic goes as follows: Whenever a client subscribes to a multicast group, g, the AP sends a new random value, $V_g$, to every associated client that belongs to this group along with an ID for this $V_g$ value (the updates can be periodic or triggered based on group membership changes). Those values are transmitted to each client over its secure pairwise link with the AP, i.e., as encrypted frames. Once the AP makes sure that all clients in the group have received $V_g$, through individual ACKs, the AP uses this value to compute $V_e$, which will be used for encapsulating each upcoming multicast frame, within this group, i.e.,

$$V_e(i) = V_h(i) \oplus V_g, \tag{14}$$

where $V_h(i)$ is a random header-V as illustrated before. $V_h(i)$ and the ID of the used $V_g$ are sent in the security header of the multicast frame. Similarly, for members of a particular multicast group g, a client uses the recovered information from the security header to compute $V_d(i)$ and decapsulate any multicast frame addressed to this group. Any failure in decryption (ICV test failure) is treated as a sign of attack.

Finally, in order to defend against replay attacks, the AP should not use repeated $V_h$ values within the lifetime of a certain $V_g$. Similarly, whenever a client receives a multicast frame, it must check for this condition and treat repeated $V_h$'s as a sign of attack.

Using this ARQ-CROWN multicast overlay, a passive Eve cannot make use of any of the multicast frames, as secure pairwise links are used to incorporate hidden and periodically-updated values into multicast $V_e$'s. On the other hand, an active Eve is not capable of injecting or replaying any of the multicast frames, as any replay or injection attempt would lead to a decryption failure at the legitimate recipients. Finally, for WPA and WPA2, since there is a different group key for each multicast group and that is updated with group membership changes, our proposed multicast approach fits nicely within their framework and increases their security. For the WEP case, which uses a shared key for all multicast groups, our group-V updates add a natural way for group membership handling. This gives an additional security advantage for the WEP case, without having to change the secret root key, $K_s$.

D. Discussion 

The enhanced security offered by our scheme is mostly evident in the case of WEP. In particular, using the ARQ-CROWN overlay, any statistical WEP attack would require a substantially longer listening time before launching the attack, which makes such attacks virtually impossible. This is demonstrated by the experimental results of Section IV-B. It is worth noting that in order for Eve to have a potential use of any unicast session, she has to be present from the beginning of this session. Also, our analytical estimate of the lower bound on the number of useful frames for Eve (Eq. (10)) implicitly assumes that Eve is totally capable of tracking ACKs, i.e., she perfectly knows the status of each unicast frame. In practice, especially in large networks where channel conditions could be relatively worse, such knowledge is not perfect, which causes more confusion at Eve's side.

One can envision several enhancements for the basic implementation presented here. First, setting the timeout periods in the ARQ-CROWN initialization phase should be carefully designed so as to defend against MITM attacks and at the same time keep the initialization delay within a practically acceptable range. A related point is to analyze the ACK/timeout events at the legitimate senders to detect anomalies in the behavior of the connected nodes for better detection of frame interception (jamming). Second, in order to reduce the overhead of the initialization phase, the legitimate nodes can use the current history for future sessions. Upon disassociation, the AP and any legitimate client can store the last point in their ARQ-history, and build up on it in newer sessions instead of going through new initialization phases. This way, the additional link setup delay imposed by the ARQ-CROWN overlay is minimized and security is enhanced at the expense of additional negligible memory at both sides. This is especially useful for designing seamless handoff mechanisms for Wi-Fi networks as this information can be transferred to the new AP using the IEEE 802.11f protocol. Finally, through small modifications, the ARQ-CROWN overlay could be further extended to secure the secret root keys to provide more security. The ARQ-CROWN overlay could also be used for security at layers higher than the MAC layer, using the same underlying principles.

IV. Numerical and Experimental Results 

A. Numerical Results 

Throughout this part, we focus on the symmetric scenario where $E(h_b) = E(h_e) = 1$. We further assume Rayleigh fading channels, for both Bob and Eve. Assuming spatially and temporally independent channels, the achievable secrecy rate in ^ becomes

where $E_i(x) = \int \exp(-t)/t \, dt$. Figure 4 gives the variation of $C_s$ and $C_e$ (as given in (6)) with SNR under different constraints on the decoding capabilities of Eve, captured by the genie-given side information, $R_e$. It is clear from the figure that $C_e$ can be greater than $C_s$ for certain $R_e$ and SNR values. For instance, in the case of $R_e = 0$, a packet received in error at Eve will be discarded without any further attempts at decoding. Therefore, the secrecy rate becomes $R_0$, which is larger than that used in (2); $C_s(i) = R_0 - \log_2(1 + h_e(i)P)$, where $C_s(i)$, $h_e(i)$ are the instantaneous secrecy rate and Eve's channel power gain, respectively. Averaging over all fading realizations, we get a greater $C_e$ than $C_s$. It is worth noting that, under the assumptions of the symmetric scenario and the Rayleigh fading model, the scheme proposed in [4] is not able to achieve any positive secrecy rate (i.e., probability of secrecy outage is one).

The role of dumb antennas in increasing the secrecy capacity of spatially correlated ARQ channels is investigated next. In our simulations, we assume that the channel gains are fully correlated, but the channel phases are independent. The independence assumption for the phases is justified as a small change in distance between Bob and Eve in the order of several electromagnetic wavelengths translates to a significant change in phase. Under these assumptions, it is easy to see that with one transmit antenna the secrecy capacity is zero. In Figure 5 it is shown that as the number of antennas N increases, the secret key rate approaches the upper bound given by ^, which assumes that the main and eavesdropper channels are independent. The same trend is observed assuming chi-square distribution with different degrees of freedom (the figures were omitted to avoid redundancy).

Figure 6 reports the performance of the greedy rate adaptation algorithm for temporally correlated channels. The channel is assumed to follow a first order Markov model:

$$g(t) = (1 - \alpha)\, g(t-1) + \sqrt{2\alpha - \alpha^2}\; w(t),$$

where $w(t)$ is the innovation process following the $\mathcal{CN}(0, 1)$ distribution. As expected, it is shown that as $\alpha$ decreases, the key rate increases. For the extreme points when $\alpha = 0$ or $\alpha = 1$, we get an upper bound, which is the ergodic secrecy under the main-channel transmit CSI assumption, and a lower bound, which is the ARQ secrecy capacity in case of independent block fading channel, respectively.

Finally, we turn our attention to the delay-limited coding constructions proposed in Section II-D. In Figure 7, we relax the optimal channel coding assumption and plot key rates for practical coding schemes and finite frame lengths (i.e., finite $n_1$). The code used in the simulation is a punctured convolutional code derived from a basic 1/2 code with a constraint length of 7 and generator polynomials 133 and 171 (in octal). We assume that Eve is genie-aided and can correct an additional 50 erroneous symbols (beyond the error correction capability of the channel code). Note that the transmission rate is fixed and is independent of the SNR. Therefore, a low SNR means more transmissions to Bob and a consequent low key rate. As the SNR increases, while keeping the transmission rate fixed, the key rate increases. However, increasing the SNR also means an increased ability of Eve to correctly decode the codeword-carrying packets. This explains why the key rate curves peak and then decay with SNR. We also observe that, for a certain modulation and channel coding scheme, reducing the packet size increases the probability of correct decoding by Bob and, thus, decreases the number of transmissions. However, it also increases the probability of correct decoding by Eve and the overall effect is a decreased key rate.

B. Experimental Results 

Our experiments are conducted with a modified version of the Madwifi driver that has ARQ-CROWN capabilities. All of our testbed nodes are Dell Latitude D830 laptops that are equipped with Atheros-based D-Link DWL-G650 WLAN cards. All traffic is generated using Netperf [26].

1) Security: One-way traffic was generated between a client node (Alice) and the AP (Bob) in the presence of one eavesdropper (Eve). Eve's driver was equipped with the ARQ-CROWN algorithms, i.e., Eve calculates $V_e$ for each frame based on the captured traffic. Two experiments were launched in different environments. In the first experiment, Eve had relatively better channel conditions, as compared to Bob, while in the second, the situation was reversed. We compared the $V_e$ values that Eve and Bob obtained for each frame, and calculated the number of useful frames for Eve (with different numbers of initialization frames).

The results are reported in log scale in Figure 8. For both experiments, the data session size is taken to be 100000 frames. The large disagreement between the analytical estimates (evaluated as given in (13)) and the experimental results in Figure 8(b) is due to the very small average number (up to 10~^°) of useful frames when the channel conditions are against Eve, which requires an infeasible experiment duration to be captured in practice. These results can be used to estimate the required time for Eve to capture a total of 1.5 million useful frames that is typically required to launch a combined form of the FMS and KoreK attacks ([27]). Under the original WEP operation, we assume that Eve needs 10 minutes to gather such traffic using passive eavesdropping only. Based on this estimate, using the ARQ-WEP protocol extends the required average listening time for Eve to 1.24 years and 5.07 years, for the first and second experiments, respectively, using only an initialization overhead of 0.001. Note that under ARQ-CROWN operation, Eve cannot use any active techniques to reduce the listening time. For TKIP and CCMP, the decreased number of useful frames at Eve hampers her ability to exploit the weaknesses that were discussed in Section III-A2.

Fig. 9: Network throughput for TCP flows with different security protocols. Panels: (b) TKIP is used for encryption; (c) CCMP is used for encryption. Horizontal axis: Frame Size (bytes).

2) Throughput: Here we compare the performance of the proposed ARQ-CROWN overlay with the baseline software implementations of WEP, TKIP, and CCMP in the Madwifi driver. To obtain a measure of performance if the proposed ARQ-CROWN overlay was implemented in hardware, we also include the results of all hardware implementations. Figure 9 reports the aggregate network throughput for TCP flows, with different packet sizes, for WEP, TKIP, and CCMP. One can see that using the ARQ-CROWN on top of WEP (ARQ-WEP) results in a throughput degradation of 11.57% over the Madwifi software implementation of WEP (SW-WEP), for a packet size of 1500 bytes. The corresponding degradation for TKIP and CCMP is 15.61% and 15.26%, respectively. This quantifies the processing overhead of ARQ-CROWN operation (as described in Section III-C2). As the packet size increases, the overhead introduced by the ARQ-CROWN decreases, as it is amortized over a larger packet size.
V. Conclusions

This paper developed a unified framework for sharing secret keys using existing ARQ protocols. The underlying idea is to distribute the key bits over multiple ARQ frames and then use the authenticated ACK/NACK feedback to create an equivalent degraded channel at the eavesdropper. Our information theoretic foundations established the achievability of non-zero secrecy rates even when the eavesdropper is experiencing a higher average SNR than the legitimate receiver and shed light on the structure of optimal ARQ secrecy protocols. It is worth noting that our approach does not assume any prior knowledge about the instantaneous CSI; only prior knowledge of the average SNRs seen by the eavesdropper and the legitimate receiver are needed. Our secrecy capacity characterization revealed the negative impact of spatial correlation and the positive impact of temporal correlation on the achievable key rates. The former phenomenon was mitigated via a novel "dumb antennas" technique, whereas the latter was exploited via a greedy rate adaptation policy. Furthermore, low complexity secrecy coding schemes were constructed by transforming our channel to an erasure wiretap channel which lends itself to explicit coset coding approaches. Building on this solid foundation, we developed a novel approach for ARQ security in Wi-Fi networks (i.e., ARQ-CROWN). Our ARQ-CROWN overlay is shown to offer provable information theoretic confidentiality guarantees which complement the security measures provided by the underlying WEP, WPA, and WPA2 protocols. These claims were validated by experimental results, obtained from our prototype, which illustrate the ability of ARQ-CROWN to mitigate all known eavesdropping attacks, whether active or passive, at the expense of a throughput loss in the order of 10%-15% using software encryption.

The most interesting part of our work is, perhaps, the 
demonstration of the utility of information theoretic secu- 
rity concepts in securing state of the art wireless networks. 
In our opinion, the success of such concepts in practice will 
depend critically on the ability to apply them to complement 
existing security mechanisms rather than replacing them. We 
hope that this first step will stimulate further work aiming at 
bridging the gap between the two worlds. 

Appendix A
Proof of Theorem 1

A. Achievability Proof 

The proof is given for a fixed average power P < P 
and transmission rate $R_0$. The key rate is then obtained by the appropriate maximization. Let $R_s = C_s - \delta$ for some small $\delta > 0$ and $R = R_0 - \epsilon$. We first generate all binary sequences $\{V\}$ of length $mR$ and then independently assign each of them randomly to one of $2^{nR_s}$ groups, according to a uniform distribution. This ensures that any of the sequences are equally likely to be within any of the groups. Each secret message $w \in \{1, \ldots, 2^{nR_s}\}$ is then assigned a group $V(w)$. We then generate a Gaussian codebook consisting of $2^{n_1(R_0 - \epsilon)}$ codewords, each of length $n_1$ symbols. The codebooks are then revealed to Alice, Bob, and Eve. To transmit the codeword, Alice first selects a random group $v(i)$ of $n_1 R$ bits, and then transmits the corresponding codeword, drawn from the chosen Gaussian codebook. If Alice receives an ACK bit from Bob, both store this group of bits and Alice selects another group of bits to send in the next coherence interval in the same manner. If a NACK was received, this group of bits is discarded and another is generated in the same manner. This process is repeated till both Alice and Bob have shared the same key $w$ corresponding to $nR_s$ bits. We observe that the channel coding theorem implies the existence of a Gaussian codebook where the fraction of successfully decoded frames is given by ^ = $\Pr(R_0 < \log_2(1 + h_b P))$, as $n_1 \to \infty$. The equivocation rate at the eavesdropper can then be lower bounded as follows.

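$$
\begin{aligned}
nR_e &= H(W \mid Z^n, K^n, G_b^a, G_e^a) \\
&\overset{(a)}{=} H(W \mid Z^m, G_b^a, G_e^a) \\
&= H(W, Z^m \mid G_b^a, G_e^a) - H(Z^m \mid G_b^a, G_e^a) \\
&= H(W, Z^m, X^m \mid G_b^a, G_e^a) - H(Z^m \mid G_b^a, G_e^a) - H(X^m \mid W, Z^m, G_b^a, G_e^a) \\
&= H(X^m \mid G_b^a, G_e^a) + H(W, Z^m \mid X^m, G_b^a, G_e^a) - H(Z^m \mid G_b^a, G_e^a) - H(X^m \mid W, Z^m, G_b^a, G_e^a) \\
&\ge H(X^m \mid G_b^a, G_e^a) + H(Z^m \mid X^m, G_b^a, G_e^a) - H(Z^m \mid G_b^a, G_e^a) - H(X^m \mid W, Z^m, G_b^a, G_e^a) \\
&= H(X^m \mid G_b^a, G_e^a) - I(Z^m; X^m \mid G_b^a, G_e^a) - H(X^m \mid W, Z^m, G_b^a, G_e^a) \\
&= H(X^m \mid Z^m, G_b^a, G_e^a) - H(X^m \mid W, Z^m, G_b^a, G_e^a) \\
&\overset{(b)}{=} \sum_{j=1}^{a} H(X(j) \mid Z(j), G_b(j), G_e(j)) - H(X^m \mid W, Z^m, G_b^a, G_e^a) \\
&\overset{(c)}{\ge} \sum_{j \in \mathcal{N}_m} H(X(j) \mid Z(j), G_b(j), G_e(j)) - H(X^m \mid W, Z^m, G_b^a, G_e^a) \\
&= \sum_{j \in \mathcal{N}_m} \big[ H(X(j) \mid G_b(j), G_e(j)) - I(X(j); Z(j) \mid G_b(j), G_e(j)) \big] - H(X^m \mid W, Z^m, G_b^a, G_e^a) \\
&\ge \sum_{j \in \mathcal{N}_m} n_1 \big[ R_0 - \log_2(1 + h_e(j)P) - \epsilon \big] - H(X^m \mid W, Z^m, G_b^a, G_e^a) \\
&\ge \sum_{j=1}^{a} n_1 \big\{ [R_0 - \log_2(1 + h_e(j)P)]^+ - \epsilon \big\} - H(X^m \mid W, Z^m, G_b^a, G_e^a) \\
&\overset{(d)}{=} nC_s - H(X^m \mid W, Z^m, G_b^a, G_e^a) - m\epsilon.
\end{aligned}
\tag{16}
$$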

In the above derivation, (a) results from the independent choice of the codeword symbols transmitted in each ARQ frame, which does not allow Eve to benefit from the observations corresponding to the NACKed frames, (b) follows from the memoryless property of the channel and the independence of the $X(j)$'s, (c) is obtained by removing all those terms which correspond to the coherence intervals $j \notin \mathcal{N}_m$, where $\mathcal{N}_m = \{j \in \{1, \ldots, a\} : h_b(j) > h_e(j) \mid \psi_j = 1\}$, where $\psi_j$ is a binary random variable and $\psi_j = 1$ indicates that an ACK was received, and (d) follows from the ergodicity of the channel as $n, m \to \infty$. Now we show that the term $H(X^m \mid W, Z^m, G_b^a, G_e^a)$ vanishes as $n_1 \to \infty$ by using a list decoding argument. In this list decoding, at coherence interval $j$, the wiretapper first constructs a list $\mathcal{L}_j$ such that $x(j) \in \mathcal{L}_j$ if $(x(j), z(j))$ are jointly typical. Let $\mathcal{L} = \mathcal{L}_1 \times \mathcal{L}_2 \times \cdots \times \mathcal{L}_a$. Given $w$, the wiretapper declares that $\hat{x}^m = (x^m)$ was transmitted, if $x^m$ is the only codeword such that $x^m \in B(w) \cap \mathcal{L}$, where $B(w)$ is the set of codewords corresponding to the message $w$. If the wiretapper finds none or more than one such sequence, then it declares an error. Hence, there are two types of error events: 1) $\mathcal{E}_1$: the transmitted codeword $x_t^m$ is not in $\mathcal{L}$, 2) $\mathcal{E}_2$: $\exists\, x^m \neq x_t^m$ such that $x^m \in B(w) \cap \mathcal{L}$. Thus the error probability $\Pr(\hat{x}^m \neq x_t^m) = \Pr(\mathcal{E}_1 \cup \mathcal{E}_2) \le \Pr(\mathcal{E}_1) + \Pr(\mathcal{E}_2)$. Based on the Asymptotic Equipartition Property (AEP), we know that $\Pr(\mathcal{E}_1) \le \epsilon_1$. In order to bound $\Pr(\mathcal{E}_2)$, we first bound the size of $\mathcal{L}_j$. We let



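$$
\phi_j(x(j) \mid z(j)) =
\begin{cases}
1, & (x(j), z(j)) \text{ are jointly typical}, \\
0, & \text{otherwise}.
\end{cases}
$$

Now

$$
\begin{aligned}
\mathbb{E}\{\|\mathcal{L}_j\|\} &= \mathbb{E}\Big\{ \sum_{x(j)} \phi_j(x(j) \mid z(j)) \Big\} \\
&\le 1 + \sum_{x(j) \ne x_t(j)} \mathbb{E}\{ \phi_j(x(j) \mid z(j)) \} \\
&\le 1 + 2^{n_1 [R_0 - \log_2(1 + h_e(j)P) - \epsilon]}.
\end{aligned}
$$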



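Hence

$$
\mathbb{E}\{\|\mathcal{L}\|\} = \prod_{j=1}^{a} \mathbb{E}\{\|\mathcal{L}_j\|\} \le 2^{\sum_{j=1}^{a} n_1 \left( [R_0 - \log_2(1 + h_e(j)P) - \epsilon]^+ + \frac{1}{n_1} \right)},
$$

$$
\begin{aligned}
\Pr(\mathcal{E}_2) &\le \mathbb{E}\Big\{ \sum_{x^m \in \mathcal{L},\, x^m \ne x_t^m} \Pr(x^m \in B(w)) \Big\} \\
&\overset{(a)}{\le} \mathbb{E}\{ \|\mathcal{L}\| \, 2^{-nR_s} \} \\
&\le 2^{-n \left( R_s - \frac{1}{a} \sum_{j=1}^{a} \left( [R_0 - \log_2(1 + h_e(j)P) - \epsilon]^+ + \frac{1}{n_1} \right) \right)} \\
&= 2^{-n \left( R_s - \frac{1}{a} \sum_{j=1}^{a} \left( [R_0 - \log_2(1 + h_e(j)P)]^+ + \frac{1}{n_1} \right) + \frac{|\mathcal{N}_m| \epsilon}{a} \right)},
\end{aligned}
$$

where (a) follows from the uniform distribution of the codewords in $B(w)$. Now as $n_1 \to \infty$ and $a \to \infty$, we get

$$\Pr(\mathcal{E}_2) \le 2^{-n (C_s^{(F)} - \delta - C_s^{(F)} + c\epsilon)} = 2^{-n(c\epsilon - \delta)},$$

where $c = \Pr(h_b > h_e)$. Thus, by choosing $\epsilon > (\delta / c)$, the error probability $\Pr(\mathcal{E}_2) \to 0$ as $n \to \infty$. Now using Fano's inequality, we get $H(X^m \mid W, Z^m, G_b^a, G_e^a) \le n\delta_n \to 0$ as $m, n \to \infty$. Combining this with (16), we get the desired result.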

B. Converse Proof 

We now prove the converse part by showing that for any perfect secrecy rate $R_s$ with equivocation rate $R_e \ge R_s - \epsilon$ as $n, m \to \infty$, there exists a transmission rate $R_0$, such that

$$R_s \le \mathbb{E}\big\{ [R_0 - \log_2(1 + h_e P)]^+ \, \mathbb{I}(R_0 \le \log_2(1 + h_b P)) \big\}.$$

Consider any sequence of $(2^{nR_s}, m)$ codes with perfect secrecy rate $R_s$ and equivocation rate $R_e$, such that $R_e \ge R_s - \epsilon$ as $n \to \infty$. We note that the equivocation $H(W \mid Z^n, K^n, G_b^a, G_e^a)$ only depends on the marginal distribution of $Z^n$, and thus does not depend on whether $Z(i)$ is a physically or stochastically degraded version of $Y(i)$ or vice versa. Hence we assume in the following derivation that for any fading state, either $Z(i)$ is a physically degraded version of $Y(i)$ or vice versa (since the noise processes are Gaussian). Thus we have

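$$
\begin{aligned}
nR_e &= H(W \mid Z^n, K^n, G_b^a, G_e^a) \\
&\overset{(a)}{=} H(W \mid Z^m, G_b^a, G_e^a) \\
&\overset{(b)}{\le} H(W \mid Z^m, G_b^a, G_e^a) - H(W \mid Z^m, Y^m, G_b^a, G_e^a) + m\delta_m \\
&\overset{(c)}{\le} I(X^m; Y^m \mid Z^m, G_b^a, G_e^a) + m\delta_m \\
&= H(Y^m \mid Z^m, G_b^a, G_e^a) - H(Y^m \mid X^m, Z^m, G_b^a, G_e^a) + m\delta_m \\
&= \sum_{i=1}^{a} \big[ H(Y(i) \mid Y^{i-1}, Z^m, G_b^a, G_e^a) - H(Y(i) \mid Y^{i-1}, X^m, Z^m, G_b^a, G_e^a) \big] + m\delta_m \\
&\overset{(d)}{\le} \sum_{i=1}^{a} \big[ H(Y(i) \mid Z(i), G_b(i), G_e(i)) - H(Y(i) \mid X(i), Z(i), G_b(i), G_e(i)) \big] + m\delta_m \\
&= \sum_{i=1}^{a} I(X(i); Y(i) \mid Z(i), G_b(i), G_e(i)) + m\delta_m \\
&\overset{(e)}{=} \sum_{i=1}^{a} \big[ I(X(i); Y(i) \mid G_b(i), G_e(i)) - I(X(i); Z(i) \mid G_b(i), G_e(i)) \big] + m\delta_m \\
&\le \sum_{i=1}^{a} \big[ R_0 - \log_2(1 + h_e(i)P) \big] + m\delta_m \\
&\le \sum_{i=1}^{a} \big[ R_0 - \log_2(1 + h_e(i)P) \big]^+ + m\delta_m,
\end{aligned}
$$

$$R_e \overset{(f)}{\le} \mathbb{E}\big\{ [R_0 - \log_2(1 + h_e P)]^+ \, \mathbb{I}(R_0 \le \log_2(1 + h_b P)) \big\} + \beta\delta_m,$$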

where $\beta = \Pr(R_0 \le \log_2(1 + h_b P))$. In the above derivation, (a) results from the independent choice of the codeword symbols transmitted in each ARQ frame which does not allow Eve to benefit from the observations corresponding to the NACKed frames, (b) follows from Fano's inequality, (c) follows from the data processing inequality since $W \to X^m \to (Y^m, Z^m)$ forms a Markov chain, (d) follows from the fact that conditioning reduces entropy and from the memoryless property of the channel, (e) follows from the fact that $I(X; Y \mid Z) = I(X; Y) - I(X; Z)$ as shown in [1], (f) follows from ergodicity of the channel as $m, n \to \infty$. The claim is thus proved.
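The rate expression bounded in this appendix can be evaluated numerically. The following is an added example, not code from the paper: it assumes independent exponential power gains (Rayleigh fading) for Bob and Eve, and the function names `key_rate` and `best_rate` are hypothetical.

```python
import math

def key_rate(r0, p, mean_hb, mean_he, steps=2000):
    """E{[R0 - log2(1 + h_e P)]^+ * I(R0 <= log2(1 + h_b P))}.

    Assumes independent exponential power gains (Rayleigh fading) with the
    given means; the fading law is an assumption of this example.
    """
    thr = (2.0 ** r0 - 1.0) / p           # gain h at which log2(1 + h P) = R0
    pr_ack = math.exp(-thr / mean_hb)     # Pr(h_b >= thr): Bob decodes, frame is ACKed
    dh = thr / steps
    gap = 0.0
    for k in range(steps):                # midpoint rule over h_e in [0, thr]
        h = (k + 0.5) * dh
        pdf = math.exp(-h / mean_he) / mean_he
        gap += (r0 - math.log2(1.0 + h * p)) * pdf * dh
    return gap * pr_ack

def best_rate(p, mean_hb, mean_he):
    """Grid search over R0 in (0, 10]; returns (rate, R0) at the maximum."""
    return max((key_rate(0.1 * k, p, mean_hb, mean_he), 0.1 * k)
               for k in range(1, 101))

if __name__ == "__main__":
    # Eve's average gain is twice Bob's, yet the maximised rate stays positive.
    for mean_he in (0.5, 1.0, 2.0, 4.0):
        rate, r0 = best_rate(p=10.0, mean_hb=1.0, mean_he=mean_he)
        print(f"E[h_e]={mean_he:3.1f}  best R0={r0:4.1f}  rate={rate:.4f}")
```

The rate stays positive for any finite mean of Eve's gain because the term inside the expectation is non-zero whenever Bob's instantaneous channel supports $R_0$ and Eve's does not.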

Appendix B 
Proof of Decorrelation 

In this appendix, we show that employing multiple transmit antennas makes the correlation between Eve's and Bob's channel power gains converge to zero, in a mean-square sense, as the number of antennas $N$ goes to $\infty$. Let $l_1$



N-l N 



h 



neq\2 



9ir and 
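Assuming all $\theta$'s to be uniformly distributed in the interval $[-\pi, \pi]$, we get

$$
\begin{aligned}
l_1 &= \frac{1}{N} \Big[ \Big( \sum_{i=1}^{N} \cos(\theta_{iR} + \theta_{iB}) \Big)^2 + \Big( \sum_{i=1}^{N} \sin(\theta_{iR} + \theta_{iB}) \Big)^2 \Big] \\
&= \frac{1}{N} \Big\{ N + 2 \sum_{i=1}^{N-1} \sum_{j=i+1}^{N} \big[ \cos(\theta_{iR} + \theta_{iB}) \cos(\theta_{jR} + \theta_{jB}) \\
&\qquad\qquad + \sin(\theta_{iR} + \theta_{iB}) \sin(\theta_{jR} + \theta_{jB}) \big] \Big\} \\
&= 1 + \frac{2}{N} \sum_{i=1}^{N-1} \sum_{j=i+1}^{N} \cos(\theta_{iR} + \theta_{iB} - \theta_{jR} - \theta_{jB}). \qquad (17)
\end{aligned}
$$

Similarly for $l_2$,

$$l_2 = 1 + \frac{2}{N} \sum_{i=1}^{N-1} \sum_{j=i+1}^{N} \cos(\theta_{iR} + \theta_{iE} - \theta_{jR} - \theta_{jE}). \qquad (18)$$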

Now, taking the expectation of (17) and (18) with respect to the random phases applied on the transmit antenna array $\theta_{iR}$ for given values of $\theta_{iE}$'s and $\theta_{iB}$'s, we get $E(l_1) = E(l_2) = 1$, and

$$E(l_1) \cdot E(l_2) = 1,$$

2 ^"^ ^ 



iE) 



4=1 j = 4+l 



So, the variance of $l_1$ and $l_2$ is given by

$$\mathrm{var}(l_1) = \mathrm{var}(l_2) \triangleq \sigma_{l_1}^2 = \sigma_{l_2}^2 = 1 + \frac{N-1}{N} - 1 = \frac{N-1}{N}.$$



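Therefore, the correlation coefficient $\rho$ between the channels' power gains is given by

$$
\begin{aligned}
\rho &= \frac{E(l_1 l_2) - E(l_1) E(l_2)}{\sqrt{\mathrm{var}(l_1)} \sqrt{\mathrm{var}(l_2)}} \\
&= \frac{2}{N(N-1)} \sum_{i=1}^{N-1} \sum_{j=i+1}^{N} \cos\big[ (\theta_{iB} - \theta_{iE}) - (\theta_{jB} - \theta_{jE}) \big] \\
&= \frac{2}{N(N-1)} \sum_{i=1}^{N-1} \sum_{j=i+1}^{N} \cos(\Delta_i - \Delta_j),
\end{aligned}
$$

where $\Delta_i = \theta_{iB} - \theta_{iE}$ and $\Delta_j = \theta_{jB} - \theta_{jE}$. Assuming $\theta_{iB}$, $\theta_{iE}$, $\theta_{jB}$, $\theta_{jE}$ are all independent, and uniformly distributed in the interval $[-\pi, \pi]$, and taking the expectation of $\rho$ over them, we get

$$E(\rho) = 0. \qquad (19)$$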

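The divergence of $\rho$ around its mean is given by

$$
\begin{aligned}
\mathrm{var}(\rho) = \sigma_\rho^2 &= \Big( \frac{2}{N(N-1)} \Big)^2 \sum_{i=1}^{N-1} \sum_{j=i+1}^{N} \mathrm{var}(\cos(\Delta_i - \Delta_j)) \\
&= \frac{4}{N^2 (N-1)^2} \cdot \frac{N(N-1)}{2} \cdot \frac{1}{2} \\
&= \frac{1}{N(N-1)}. \qquad (20)
\end{aligned}
$$

Thus, the standard deviation of $\rho$ is given by $\sigma_\rho = \frac{1}{\sqrt{N(N-1)}} \approx \frac{1}{N}$. It is evident from (20) that $\mathrm{var}(\rho)$ goes to zero as $N \to \infty$. That is, the correlation coefficient $\rho$ converges, in a mean-square sense, to zero.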
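The decorrelation result can be checked by simulation. The following is an added example, not code from the paper: it compares the correlation coefficient measured over random transmit phases with the closed form for $\rho$, and the sample moments of $\rho$ with (19) and (20). The gain normalisation $|\sum_i e^{j(\theta_{iR} + \theta_i)}|^2 / N$ is an assumption chosen because it expands to the form in (17); all function names are hypothetical.

```python
import cmath
import math
import random

def phases(rng, n):
    """n phases drawn uniformly from [-pi, pi], as Appendix B assumes."""
    return [rng.uniform(-math.pi, math.pi) for _ in range(n)]

def power_gain(theta_r, theta_ch):
    """|sum_i e^{j(theta_iR + theta_i)}|^2 / N, which expands to the form in (17)."""
    s = sum(cmath.exp(1j * (r + c)) for r, c in zip(theta_r, theta_ch))
    return abs(s) ** 2 / len(theta_r)

def rho_closed_form(theta_b, theta_e):
    """2/(N(N-1)) * sum_{i<j} cos(Delta_i - Delta_j), Delta_i = theta_iB - theta_iE."""
    n = len(theta_b)
    s = sum(cmath.exp(1j * (b - e)) for b, e in zip(theta_b, theta_e))
    # sum_{i<j} cos(Delta_i - Delta_j) = (|sum_i e^{j Delta_i}|^2 - N) / 2
    return (abs(s) ** 2 - n) / (n * (n - 1))

def mean_var(xs):
    m = sum(xs) / len(xs)
    return m, sum((x - m) ** 2 for x in xs) / len(xs)

def rho_empirical(theta_b, theta_e, trials=40000, seed=2):
    """Correlation of Bob's and Eve's gains over the random transmit phases only."""
    rng = random.Random(seed)
    l1, l2 = [], []
    for _ in range(trials):
        theta_r = phases(rng, len(theta_b))
        l1.append(power_gain(theta_r, theta_b))
        l2.append(power_gain(theta_r, theta_e))
    (m1, v1), (m2, v2) = mean_var(l1), mean_var(l2)
    cov = sum((a - m1) * (b - m2) for a, b in zip(l1, l2)) / trials
    return cov / math.sqrt(v1 * v2)

def rho_moments(n, trials=20000, seed=1):
    """Sample mean and variance of rho over random channel phases, for (19) and (20)."""
    rng = random.Random(seed)
    return mean_var([rho_closed_form(phases(rng, n), phases(rng, n))
                     for _ in range(trials)])

if __name__ == "__main__":
    for n in (2, 4, 8, 16, 32):
        mean, var = rho_moments(n)
        print(f"N={n:2d}  E(rho)={mean:+.4f}  var(rho)={var:.5f}  "
              f"1/(N(N-1))={1 / (n * (n - 1)):.5f}")
```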